Key Takeaways
- Decentralized finance platforms saw their total value locked plummet to $82.4 billion, marking the sector’s lowest point in twelve months and representing a 25% decline since the beginning of 2026
- Attackers exploited Kelp DAO’s cross-chain infrastructure on LayerZero, siphoning off $292 million in digital assets
- Earlier in the month, the Drift Protocol suffered a devastating $285 million breach—now recognized as Solana’s most significant security incident
- Cybersecurity analysts have connected both breaches to North Korea’s notorious Lazarus Group, suggesting a deliberate state-sponsored operation
- A three-way dispute has erupted between Kelp DAO, Aave, and LayerZero regarding liability distribution, potentially leaving certain rsETH token holders with losses approaching $267 million
The decentralized finance landscape has been rocked by a wave of security breaches that have collectively drained more than $600 million from protocols in less than a month, triggering widespread concern throughout the crypto lending and staking sectors.
On Saturday, attackers compromised Kelp DAO’s bridging mechanism, extracting $292 million from the platform. This incident followed closely on the heels of the Drift Protocol breach, which occurred fewer than three weeks earlier and resulted in approximately $285 million in stolen funds—establishing a new record for the largest single exploit on Solana’s blockchain.
Additional breaches targeting Resolv Labs, Hyperbridge, and Rhea Finance compounded the sector’s troubles. According to blockchain security firm Halborn’s tracking data, DeFi platforms had already sustained $86 million in January losses, $23.5 million in February, and more than $27 million throughout March—all before these two substantial attacks occurred.
Following the Kelp DAO compromise, the aggregate total value locked throughout DeFi protocols declined to approximately $82.4 billion. This represents a sharp 25% contraction from the $110 billion recorded at 2026’s outset and marks the sector’s weakest position in an entire year.
The immediate one-day withdrawal following the Kelp breach reached 5.6%, positioning this drawdown just beneath the 98th percentile for severity when compared against all incidents since 2024. Lending platforms bore the brunt of the exodus, experiencing roughly 13% declines in TVL.
The Mechanics Behind the Kelp DAO Breach
The perpetrators exploited vulnerabilities in the data validation process feeding into Kelp’s cross-chain bridging system, which operated on LayerZero’s infrastructure. The protocol authenticated message origins without verifying the accuracy of message contents.
Kelp had implemented its bridge using just a single verifier—one approval mechanism for authorizing cross-chain transactions. This design eliminated a critical security redundancy in favor of enhanced transaction speed and operational simplicity.
“The security failure is simple: a signed lie is still a lie,” said Alexander Urbelis, CISO at ENS Labs. “Signatures guarantee authorship; they do not guarantee truth.”
LayerZero subsequently clarified that the vulnerability stemmed from Kelp’s configuration decisions and has since advocated for implementing multiple independent verification systems. Industry observers contested this assessment, highlighting that LayerZero’s standard configuration already defaulted to single-verifier setups.
Following the attack, the compromised assets were deposited as collateral within Aave’s lending protocol. Aave responded by freezing all rsETH transactions on its platform to contain potential damage, effectively immobilizing billions in user deposits and creating liquidity constraints across various stablecoin markets.
Determining Loss Distribution
Blockchain intelligence provider Arkham Intelligence outlined two potential scenarios for Kelp DAO’s recovery approach. The first option involves distributing losses proportionally among all rsETH token holders, requiring each participant to absorb approximately 16% in reductions. The alternative approach would shield Ethereum mainnet participants from losses, forcing Layer 2 network users to shoulder the majority of damages, potentially exposing Aave users to losses as high as $267 million.
Kelp DAO, Aave, and LayerZero are currently pointing fingers at each other. Yearn Finance developer Banteg wrote on X: “Everyone has lawyered up and going full PvP on each other.”
Preliminary forensic analysis has connected both the Kelp and Drift breaches to North Korea’s state-sponsored Lazarus Group. Cybersecurity professionals interpret this pattern as evidence of a systematic, government-coordinated offensive rather than unrelated opportunistic strikes.
“This is not a series of incidents; it is a cadence,” Urbelis said.
